Manage application policies

This topic describes how administrators can view and manage application security policies.

Overview

The Secure Web Sessions portal displays all the SSO applications that you can apply policies to. For each application, you can apply specific protections and security layers. For CyberArk Identity applications, you can also apply security layers either by group membership, or to individual users.

You can apply 4 types of security layers:

Security layer

Description

Step Recording

Monitors and records all user actions, events and use of the application.

The recording is not a video, but a step-by-step log with screenshots, and is fully searchable.

User events are captured locally in the browser via the Secure Web Sessions browser extension.

For more information, see What is Step Recording?

Session Protection

Protects the user's web session in the browser, and the specific tab. This protects high-risk web sessions from malicious processes originating on the endpoint.

The following protections can be applied:

  • Block file downloads, context menu and clipboard actions

  • Enforce EPM protection

For more information, see What is Session Protection?

Continuous Authentication

Validates and verifies the user throughout their web session, based on certain conditions.

For more information, see What is Continuous Authentication?

Session Control

Implements controls and/or sends notifications based on rules that define specific user actions.

For more information, see What is Session Control?

Set security layers for application members

Use this procedure to set the security layers for members of an application.

Applies to CyberArk Identity SSO applications only.

  1. From the Secure Web Sessions portal, go to the Application policies page, and select a CyberArk Identity application.

  2. To change the security layers for all members of the application:

    1. In the table heading, select the security layers you want applied to all members.

    2. In the pop-up message, click Add.

  3. To change the security layers for individual users or groups:

    1. Click the Edit button in the row of the group or user.

    2. Select the security layers you want to apply, and click Save.

Edit security layers per application

  1. From the Secure Web Sessions portal, go to the Application policies page and select an application.

  2. Click the Edit button. In the pop-up message, select the security layers you want to apply for this application, and click Save.

Define security layer settings per application policy

From the Secure Web Sessions portal, go to the Application policies page, select an application, and click the Settings tab.

Section

Description

General


Identity app key

The application key received from CyberArk Identity.

Application detection mode

  • Automatic mode - When the toggle is set to ON, recordings are triggered based on the root URLs of the configured app. For example, for AWS dynamic URLs, some of the URLs that would be included are aws.com/users and aws.com/services.

  • Manual mode - When enabled, Secure Web Sessions starts monitoring from the domains or specific application pages (URLs) you enter. Wildcards (*) are supported.

    Cloud console applications (e.g. Azure, AWS) are tracked using both the URL and the username. This improves targeting and policy enforcement between parallel cloud console sessions using different accounts.

  • Automatic/Manual excluded domains or URLs - Add application domains or specific application pages (URLs) that you want to exclude from being recorded. This list is applicable whether you select Automatic or Manual mode. Example entries:

    login.cyberark.com

    https://eu123.cyberark.com/WildCardUsageHere?*

    https://eu123.cyberark.com/ThisPage

    If an exclude list is added in Settings > Security layers, that list applies to all application policies in this tenant. The tenant-level exclude list overrides the app-specific exclude list.
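To make the detection-mode and exclude-list behaviour described above concrete, here is a small Python model of the "should this page load be recorded?" decision. It is an added illustration, not CyberArk's implementation, and its semantics are assumptions drawn from the descriptions above: only `*` is a wildcard (so a `?` in a query string is literal), an entry with a scheme is matched against the full URL, an entry without a scheme is a bare domain matched against the host, and the tenant-level exclude list is checked first and applies to every application policy. The `AppPolicy` class, the field names and the sample entries are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Illustrative model only (not CyberArk's implementation). Assumed semantics:
#  - only '*' is a wildcard; every other character, including '?', is literal;
#  - an entry with a scheme ("https://...") is matched against the full URL;
#  - an entry without a scheme is a bare domain matched against the host;
#  - the tenant-level exclude list is checked before the app-specific list
#    and applies to every application policy.


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an entry where '*' means 'any run of characters' and all else is literal."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matches_entry(url: str, entry: str) -> bool:
    """True if the URL matches one include/exclude entry."""
    if "://" in entry:
        return _wildcard_to_regex(entry).match(url) is not None
    host = (urlsplit(url).hostname or "").lower()   # hostname is case-insensitive
    return _wildcard_to_regex(entry.lower()).match(host) is not None


@dataclass
class AppPolicy:
    name: str
    root_hosts: list[str]                                     # automatic mode: app root domains
    automatic: bool = True
    manual_entries: list[str] = field(default_factory=list)   # manual mode: domains/URLs entered
    app_excludes: list[str] = field(default_factory=list)     # app-specific exclude list


def in_scope(url: str, policy: AppPolicy) -> bool:
    """Automatic mode: host is a root domain or a subdomain of one; manual mode: an entry matches."""
    if policy.automatic:
        host = (urlsplit(url).hostname or "").lower()
        return any(host == r or host.endswith("." + r) for r in policy.root_hosts)
    return any(matches_entry(url, e) for e in policy.manual_entries)


def should_record(url: str, policy: AppPolicy, tenant_excludes: list[str]) -> tuple[bool, str]:
    """Decide whether a page load is recorded, and say why. Tenant excludes win."""
    for entry in tenant_excludes:
        if matches_entry(url, entry):
            return False, f"tenant exclude: {entry}"
    for entry in policy.app_excludes:
        if matches_entry(url, entry):
            return False, f"app exclude: {entry}"
    if not in_scope(url, policy):
        return False, "outside application scope"
    return True, "in scope"


# Constructed sample policy reusing the entry forms shown in the documentation.
EU123 = AppPolicy(
    name="eu123",
    root_hosts=["eu123.cyberark.com"],
    app_excludes=[
        "https://eu123.cyberark.com/WildCardUsageHere?*",
        "https://eu123.cyberark.com/ThisPage",
    ],
)
TENANT_EXCLUDES = ["login.cyberark.com"]

if __name__ == "__main__":
    for url in [
        "https://eu123.cyberark.com/dashboard",
        "https://eu123.cyberark.com/ThisPage",
        "https://eu123.cyberark.com/WildCardUsageHere?id=42",
        "https://eu123.cyberark.com/WildCardUsageHereX",
        "https://login.cyberark.com/auth",
        "https://example.org/",
    ]:
        print(url, "->", should_record(url, EU123, TENANT_EXCLUDES))
```

The wildcard is compiled by hand rather than with `fnmatch` because shell-style globbing also treats `?` as a single-character wildcard; with `fnmatch`, the entry `https://eu123.cyberark.com/WildCardUsageHere?*` would silently exclude `.../WildCardUsageHereX` as well, which is exactly the kind of over-broad exclusion an auditor reviewing an exclude list should look for.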

Terminate user session from WPM authenticated app after x minutes

This feature is designed specifically for CyberArk Identity applications that use username and password authentication.

Set the number of minutes after which the user's app session will end. The user will be required to start a new session from the IdP the next time they want to use the app.

Minimum: 60 minutes

Default: 1440 minutes

Maximum: 1440 minutes

Additionally, you can set up a warning message for users, notifying them before their session is about to be terminated.

Minimum: 1 minute

Default: 5 minutes

Maximum: 10 minutes

This feature enhances users' privacy by tracking the authentication cookies for the particular app session. This means that even if the application's default is to allow a long-lived session before requiring users to re-authenticate (if at all), SWS can end the app session and require the user to re-authenticate the next time the application is accessed.

Step Recording


Watermark on screens

Allows you to add a watermark to the session recording screenshots. The watermark will have a grid-like appearance covering the entire image with the text "Secured by CyberArk Secure Web Sessions".

Optionally, you can also add metadata with the watermark that includes the username, IP address, application name, and timestamp.

Session protection

Set the level of session protection you want applied to application sessions:

  • Block file downloads, context menu and clipboard actions - Blocks the following actions in an application session:

    • Cut/copy text from a protected session

    • Paste text to a protected session

    • Drag and drop action on text in a protected session

    • File downloads, including drag and drop of files from a protected session to a local repository

    • Open the context menu in a protected session

    This option is enabled by default.

  • Enforce EPM protection - Enforces EPM protections in an application session.

    To enforce EPM protection for a specific application, you first need to configure and enable the integration from Settings > Security layers. For more information, see Configure Session Protection and EPM integration.

Continuous authentication

Apply the Enforce pedometer lock to lock a sensitive web session when the end user has taken the maximum configured number of footsteps. This helps detect a session that may have been left unattended.

When the maximum number of steps is reached, the end user is required to re-authenticate to their session with a QR code using the CyberArk Mobile app.

This feature is enabled in Settings > Security layers.

Set default security layers for new application members

Use this procedure to set the default security layers that will be applied to new members of an application.

Applies to CyberArk Identity SSO applications only.


New applications enabled for SWS have step recording enabled by default.

  1. From the Secure Web Sessions portal, go to the Application policies page, and select an application.

  2. From the Members table, go to the Default security layers for new members row, and click Edit from the quick menu.

  3. In the pop-up message, select the security layers you want to apply, and click Save default.

    The saved default security layers will be applied to all new members added for this application.

Change member security layers

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click on the row of a member to view its details.

  3. From the Security layers tab, enable or disable the security layers for this member.

Assign Session Control rules to a member

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click the row of a member to view its details.

  3. Select the Session Control rules tab.

    The list shows the currently assigned rules.

  4. To assign rules to this member, do one of the following:

    • Click Select all

    • Select specific rules and click Assign rules

  5. Click Save.

Manage Session Control rules

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click the row of a member to view its details.

  3. Select the Session Control rules tab.

  4. Hover over the row of a rule to delete, edit, or view the session recordings where this rule appears.

    You can click View steps to view the specific steps in the timeline where the rule was triggered.

    When you click on a specific rule, you can also view the recent user actions that triggered the rule, and the list of members assigned to the rule.

Import / Export rules

Importing and exporting rules allows you to efficiently manage Session Control rules by exporting them for backup or sharing purposes and importing them to apply new rules quickly.

To export rules:

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click the row of a member to view its details.

  3. Select the Session Control rules tab.

  4. Select the check box next to the rules you want to export or click Select All.

  5. Click Export. A prompt confirms the action. Read the message carefully and click Export again.

    The export process begins upon confirmation. Rules are exported into a JSON file and saved on your local computer. The name of the file is <appName_SWSrule_yy-mm-dd.JSON>.

To import rules:

A maximum of 300 rules is allowed for import per application.

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click the row of a member to view its details.

  3. Select the Session Control rules tab.

  4. Click Import rules.

  5. A prompt opens recommending that you review the rules before import. Click Proceed to continue.

    A file selector for JSON files opens.

  6. Select the JSON file with the rules you want to import, and click Open.

    A prompt window with success and errors opens.

  7. Review the imported rules and click Proceed.

    Rules are imported as inactive. Review the imported rules and activate as required.
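Because the import dialog recommends reviewing rules before importing them, a pre-import check is a natural place to enforce the facts the export and import procedures state: the export file name follows `<appName_SWSrule_yy-mm-dd.JSON>`, at most 300 rules are accepted per application, and imported rules start inactive. The following Python script is an added example, not CyberArk's code or format: the inner layout of the exported JSON is not documented on this page, so the script assumes a hypothetical JSON array of rule objects with `name` and `active` keys, and the sample export is constructed.

```python
import json
import re

MAX_RULES_PER_APP = 300   # per-application import limit stated in the documentation

# Export file name pattern from the documentation: <appName_SWSrule_yy-mm-dd.JSON>
EXPORT_NAME = re.compile(
    r"^(?P<app>.+)_SWSrule_(?P<yy>\d{2})-(?P<mm>\d{2})-(?P<dd>\d{2})\.JSON$",
    re.IGNORECASE,
)


def parse_export_name(filename: str) -> tuple[str, str]:
    """Recover the source application name and export date (ISO form) from the file name."""
    m = EXPORT_NAME.match(filename)
    if not m:
        raise ValueError(f"not an SWS rule export name: {filename}")
    # two-digit year is assumed to be 20yy
    return m["app"], f"20{m['yy']}-{m['mm']}-{m['dd']}"


def preflight_rules(filename: str, rules: list, target_app: str) -> dict:
    """Return findings a reviewer should see before clicking Import.

    The rule layout (a list of objects with hypothetical 'name' and 'active' keys)
    is an assumption for this example, not the product's documented format.
    """
    app, exported_on = parse_export_name(filename)
    errors, warns = [], []
    if app != target_app:
        warns.append(f"file was exported from app '{app}', importing into '{target_app}'")
    if len(rules) > MAX_RULES_PER_APP:
        errors.append(f"{len(rules)} rules exceed the per-application limit of {MAX_RULES_PER_APP}")
    names = [r.get("name") for r in rules]
    duplicates = sorted({n for n in names if n is not None and names.count(n) > 1})
    if duplicates:
        warns.append(f"duplicate rule names in file: {duplicates}")
    active = [r.get("name") for r in rules if r.get("active")]
    if active:
        # The documentation states rules are imported as inactive, so these need re-activation.
        warns.append(f"{len(active)} rule(s) marked active in the file will be imported as inactive")
    return {
        "source_app": app,
        "exported_on": exported_on,
        "rule_count": len(rules),
        "duplicate_names": duplicates,
        "errors": errors,
        "warnings": warns,
        "ok_to_import": not errors,
    }


def preflight_file(filename: str, export_json: str, target_app: str) -> dict:
    """Same check, starting from the raw JSON text of the exported file."""
    rules = json.loads(export_json)
    if not isinstance(rules, list):
        raise ValueError("expected a JSON array of rules (assumed layout)")
    return preflight_rules(filename, rules, target_app)


# Constructed sample export (hypothetical layout), including one duplicate and one active rule.
SAMPLE_EXPORT = json.dumps([
    {"name": "block-bulk-export", "active": True},
    {"name": "notify-on-admin-page", "active": False},
    {"name": "block-bulk-export", "active": False},
])

if __name__ == "__main__":
    report = preflight_file("payroll_SWSrule_24-05-17.JSON", SAMPLE_EXPORT, "payroll")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the check against the file before step 6 above; an `errors` entry means the import will not succeed as-is (for example, more than 300 rules), while `warnings` lists things to verify during the review in step 7, such as rules that were active in the source application and will need to be activated again after import.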

Deactivate application policies

When new applications are configured with SWS, by default they are in active mode. This means that SWS security layers are applied when users access the application.

You can deactivate application policies so that users are no longer routed through SWS security layers. Deactivating application policies does not delete any configuration, and the policies can be activated again at any time.

  1. From the Secure Web Sessions portal, go to the Application policies page, and select an application.

  2. Change the toggle from Active to Inactive.

Delete application policies

Step recording limitations

  • Keyboard shortcuts don't trigger a recorded step.

  • Drag-and-drop isn't recorded as a user action.

  • Web applications based on WebGL might not capture all user actions when using step recording. Some Microsoft Office applications use this technology. Therefore, while recordings of Office 365 web apps include the name and type of files, user actions performed inside the file won't be captured.